Stupid Security Questions

I’ve always had a problem with the security questions asked by banks and other financial institutions. For one thing, these security questions are not really that secure; they are easy to guess and reverse engineer. In 2008, the email account of the Republican vice-presidential candidate, Alaska Governor Sarah Palin, was hacked by guessing the answers to her security questions. From a Wired report on the email crack:

The Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

Recently, it was reported that President Obama’s Twitter account was hacked by guessing the answer to a security question in the password recovery system. These types of ‘hacks’ require no computer science degree, computer security expertise, or black hat hacking skills. This is the sort of ‘hacking’ that an ex might find themselves doing on your Facebook account. I would not put a lot of blame on curious kids with a lot of time on their hands and an internet connection; I put the blame on the enterprise software architects who put stupid and weak security systems in place.

At first, security questions consisted of naming the town where you were born, or the maiden name of your mother. Then they progressed to the name of your third grade teacher, then the last name of your fifth girlfriend, then to where you were during the 1989 Loma Prieta earthquake, and they have gotten worse since then. Here are some security questions I found myself forced to answer.

  • Who was your childhood hero?
  • What is the first and last name of your first boyfriend or girlfriend?
  • Which phone number do you remember most from your childhood?
  • What was your favorite place to visit as a child?
  • Who is your favorite actor, musician, or artist?
  • What was the last name of your third grade teacher?

The problem now, with the current trend of security questions, is that even I don’t know the answers to them, or their answers might change over time. Try to answer any of the above security questions five years from now and you might sound like the following… “I liked both Spiderman and Wolverine, but I might have answered Superman. I liked Britney Spears then, but not as much as Miley Cyrus, but wasn’t Lady Futura big then.”

I think that security questions are neither secure nor practical. They are an annoyance for users and highlight security flaws in computer systems.
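Both failure modes above can be measured rather than argued about. The script below is an added example and is not part of the original post: it takes a constructed answer distribution for two of the questions quoted here (not real survey data) and computes the min-entropy of each question and the chance that the most common answers hit a random user within the number of wrong attempts a reset form allows before locking the account (an assumed policy value, ATTEMPTS_BEFORE_LOCKOUT). It also shows the trade-off behind the “easy to forget” half of the argument: the lenient normalization a reset form needs so that half-remembered answers still match folds several spellings into one, which shrinks the answer space further.

```python
"""Added example (not from the original post): estimate how guessable a
security question is from the distribution of answers users give, and
show how the lenient matching needed for forgetful users shrinks that
answer space further.  All data below is constructed, not a real survey."""
import math
import re
from collections import Counter

# Hypothetical reset-form policy: wrong answers allowed before lockout.
ATTEMPTS_BEFORE_LOCKOUT = 5


def normalize(answer: str) -> str:
    """Canonicalise an answer the way reset forms usually do, so that
    'Springfield High', 'springfield high school ' and 'SPRINGFIELD HIGH!'
    all compare equal.  Good for users who half-remember; bad for entropy."""
    a = answer.lower().strip()
    a = re.sub(r"[^a-z0-9 ]", "", a)                         # drop punctuation
    a = re.sub(r"\b(high school|high|school|the)\b", "", a)  # drop filler words
    return re.sub(r"\s+", " ", a).strip()


def answer_distribution(raw_answers) -> Counter:
    """Count answers after normalization."""
    return Counter(normalize(a) for a in raw_answers)


def min_entropy_bits(dist: Counter) -> float:
    """Min-entropy, -log2(p_max): what bounds a single guess.  Shannon
    entropy overstates strength when a few answers dominate."""
    return -math.log2(max(dist.values()) / sum(dist.values()))


def top_k_success(dist: Counter, k: int) -> float:
    """Chance that trying the k most common answers hits a random user."""
    return sum(c for _, c in dist.most_common(k)) / sum(dist.values())


def random_secret_success(bits: int, k: int) -> float:
    """Same k tries against a uniformly random secret of `bits` bits."""
    return min(1.0, k / 2 ** bits)


def constructed(common: dict, singletons: int) -> Counter:
    """Build a constructed population: popular answers with counts, plus
    `singletons` users who each gave a distinct answer."""
    dist = Counter(common)
    for i in range(singletons):
        dist[f"unique-{i}"] = 1
    return dist


# Constructed populations of 1,000 users each (invented counts).
QUESTIONS = {
    "Who is your favorite actor, musician, or artist?":
        constructed({"tom hanks": 120, "brad pitt": 90, "johnny depp": 80,
                     "beyonce": 60, "elvis presley": 50}, 600),
    "What is your maternal grandmother's maiden name?":
        constructed({"smith": 25, "johnson": 20, "williams": 18,
                     "brown": 15, "jones": 14}, 908),
}

# Constructed: what one user might type for 'What school did you attend?'
# in different years.  normalize() folds all of them into one string.
SCHOOL_VARIANTS = ["Springfield High", "springfield high school ",
                   "SPRINGFIELD HIGH!", "The Springfield High School"]


def report(k: int = ATTEMPTS_BEFORE_LOCKOUT) -> dict:
    """Per-question min-entropy and k-guess success, plus the same k guesses
    against a random 20-bit secret (roughly a 6-digit PIN) for comparison."""
    out = {}
    for q, dist in QUESTIONS.items():
        out[q] = {"min_entropy_bits": round(min_entropy_bits(dist), 2),
                  "success_in_k_guesses": top_k_success(dist, k)}
    out["random 20-bit secret"] = {
        "min_entropy_bits": 20.0,
        "success_in_k_guesses": random_secret_success(20, k)}
    return out


if __name__ == "__main__":
    for name, stats in report().items():
        print(f"{name}: {stats}")
    print("school variants collapse to:",
          set(answer_distribution(SCHOOL_VARIANTS)))
```

With the constructed numbers, five tries against the “favorite actor” question succeed about 40% of the time and against the maiden-name question about 9%, versus roughly five in a million against a random 20-bit secret; the point is the method, not the invented counts, and a real deployment would feed the distribution of answers it actually stores into the same functions.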

Here is a list of security questions that are considered good; notice that they all suffer from the issues outlined here, in that they are either easy to guess or easy to forget.

  • What was your childhood nickname?
  • In what city did you meet your spouse/significant other?
  • What is the name of your favorite childhood friend?
  • What street did you live on in third grade?
  • What is your oldest sibling’s birthday month and year? (e.g., January 1900)
  • What is the middle name of your youngest child?
  • What is your oldest sibling’s middle name?
  • What school did you attend for sixth grade?
  • What was your childhood phone number including area code? (e.g., 000-000-0000)
  • What is your oldest cousin’s first and last name?
  • What was the name of your first stuffed animal?
  • In what city or town did your mother and father meet?
  • Where were you when you had your first kiss?
  • What is the first name of the boy or girl that you first kissed?
  • What was the last name of your third grade teacher?
  • In what city does your nearest sibling live?
  • What is your youngest brother’s birthday month and year? (e.g., January 1900)
  • What is your maternal grandmother’s maiden name?
  • In what city or town was your first job?
  • What is the name of the place your wedding reception was held?
  • What is the name of a college you applied to but didn’t attend?
  • Where were you when you first heard about 9/11?

Another trend that I have noticed is that financial institutions and credit companies have a lot of private data on you and other prospective borrowers. So they don’t need to ask you such security questions; they can generate their own and match your answers to the years of paper trail and data fingerprints they have on you. If you call your bank in the near future, don’t be surprised if they ask you whom you lost your virginity to.

3 Responses to Stupid Security Questions

  1. Users should be able to create their own secondary security questions. That way, they alone can be responsible for the future effectiveness of such questions.

  2. This is just stupid, period. The security weenies are running the show, and they are not client-oriented or business-oriented. It’s the same as requiring two or more passwords. If requiring two passwords makes it more secure, why not require 3, or 4, or 5? Or more??? Then it would be really secure! Face it, the security wonks won’t be satisfied until no one can access anything, then it’s absolutely secure!

  3. I hate these questions. So many of these questions from US-based companies are US-specific. This can be so annoying, for example a number of times I have had to give up on forms which ask for your telephone number or ‘ZIP code’, and then inform me that what I entered is not a valid telephone number / ‘ZIP code’. Here are my answers.

    – What was your childhood nickname?
    This one’s OK.
    – In what city did you meet your spouse/significant other?
    I didn’t meet her in a city, it was in a pub car park in a small town.
    – What is the name of your favorite childhood friend?
    Ambiguous, different people at different times.
    – What street did you live on in third grade?
    What is third grade?
    – What is your oldest sibling’s birthday month and year? (e.g., January 1900)
    OK
    – What is the middle name of your youngest child?
    I haven’t got any children.
    – What is your oldest sibling’s middle name?
    She hasn’t got one.
    – What school did you attend for sixth grade?
    What is 6th grade?
    – What was your childhood phone number including area code? (e.g., 000-000-0000)
    OK, so long as it accepts a number which IS NOT in the format shown.
    – What is your oldest cousin’s first and last name?
    I don’t even know who my oldest cousin is.
    – What was the name of your first stuffed animal?
    Are you serious?
    – In what city or town did your mother and father meet?
    No idea.
    – Where were you when you had your first kiss?
    Can’t remember, but it was on the top deck of a double-decker bus.
    – What is the first name of the boy or girl that you first kissed?
    Can’t remember.
    – What was the last name of your third grade teacher?
    What is third grade?
    – In what city does your nearest sibling live?
    Define nearest: by location, age or what?
    Neither of my siblings lives in a city.
    – What is your youngest brother’s birthday month and year? (e.g., January 1900)
    I haven’t got any brothers.
    – What is your maternal grandmother’s maiden name?
    No idea.
    – In what city or town was your first job?
    OK
    – What is the name of the place your wedding reception was held?
    We didn’t have one. We eloped to Gretna Green.
    – What is the name of a college you applied to but didn’t attend?
    Ambiguous, there were so many of them, and I have forgotten them.
    – Where were you when you first heard about 9/11?
    9/11 = 9th November = the day the Berlin wall came down. I was in a supermarket and I saw a newspaper headline “Jetzt fallt die Mauer”.
